UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors
Office of Inspector General

Information Technology
Memorandum Report

Review of the Information Security Program at the Department of State

Report Number IT-A-04-08, September 2004

IMPORTANT NOTICE

This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

Section 3545 of the Federal Information Security Management Act of 2002 (FISMA)[1] directs each agency to conduct an annual independent evaluation of its information security program and practices. FISMA provides a comprehensive framework for establishing and ensuring the effectiveness of controls over information technology (IT) that support federal operations and assets, and it provides a mechanism for improved oversight of federal agency information security programs. Also, Office of Management and Budget (OMB) implementation guidance for FISMA requires the Office of Inspector General (OIG) to assess the development, implementation, and management of the agency-wide plans of action and milestones (POA&M) process and to focus on performance measures.
In response, OIG performed an independent evaluation of the information security program and practices of the Department of State (Department).

The objective of this review was to assess the overall effectiveness of the Department’s information security program. More details on the scope and methodology for this review are discussed in Appendix A. OIG received comments from the Department and incorporated them as appropriate within the body of the report. Comments from the Department are reprinted in Appendix B.

RESULTS IN BRIEF

OIG found that the Department has taken a number of actions directed at improving the effectiveness of the Department’s information security program since last year’s independent evaluation. For example, the Department implemented a bureau-level Department FISMA scorecard. This performance scorecard, shared internally with senior management, is a one-page snapshot of a bureau’s progress in information assurance. The Department has deployed an automated application tool to be used by the bureaus in an effort to automate the FISMA reporting process. The automated tool is designed to allow the Department to standardize web management of self-assessments, POA&Ms, and performance measures. Further, the Department developed a web-based training tool that is used to meet the requirement that all employees receive annual IT security awareness briefings. By using this web-based tool, the Department has the ability to track completion of annual awareness briefings electronically for each employee worldwide.

The Department has improved its POA&Ms process at headquarters since last year’s evaluation.
Restructuring of the certification and accreditation process, automation of FISMA data submissions, and the development of a draft POA&Ms process guide have been instrumental in helping the Department improve identification of its IT security vulnerabilities and address these issues through the POA&Ms process. In addition, the Department undertook an 18-month project to certify and accredit its major applications and general support systems. As of the first week in September, the Department had processed and approved 92 percent of the general support systems and major applications included in the project. The 18-month project has been coordinated with OMB, and has moved the Department constructively forward to begin meeting FISMA requirements in a key area where it previously had been failing.

[1] Pub. L. No. 107-347, Title III, Sec. 301(b)(1); 44 U.S.C. 3545.

However, OIG found several key areas that still require senior management attention. The Department has not adequately coordinated and shared information with relevant Department parties, such as Critical Infrastructure Protection (CIP) officials, involved in identifying and addressing IT security vulnerabilities for the POA&Ms process. At the time of this evaluation, the Department had not developed procedures to ensure that IT security findings were being addressed in the POA&Ms process, nor had it extended the process to include its domestic and overseas sites.

Further, the Department inventory of IT systems remains incomplete and needs to be updated by the responsible Department officials, as required by FISMA. Whereas 92 percent of the general support systems and major applications included in the Department’s 18-month systems authorization project completed certification and accreditation, the total universe of applications and systems for the Department has still not been identified fully. As a result, the percentage of systems and applications that have been certified and accredited for the Department is substantially less than the 92 percent reported for the project. Also, the Department lacks procedures to identify the number of contractor services or facilities performing work for the Department using their own systems or connecting to the Department networks. The Department’s patch management program needs improvement. Patch management roles and responsibilities still remain unclear to post officials, and posts are unsure of the procedures for installing patches or obtaining assistance.

The Department continues to fragment responsibility for information systems security and to date has developed no effective coordinating or monitoring mechanism to ensure that delegated responsibilities are effectively accomplished. Further, the implementation of information security at overseas posts requires increased Department attention.

BACKGROUND

Information security is imperative to any organization that depends on information systems and computer networks to carry out its mission. The expansion in computer interconnectivity and the rapid increase in the use of the Internet are changing the way the government, private sector, and much of the world communicate and conduct business. However, without proper safeguards, these developments pose serious risks that make it easier for people and groups with malicious intent to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer networks and systems.
Further, the number of people with computer skills is increasing, and intrusion techniques and tools are readily available and relatively easy to use.

Faced with continued concerns about information security risks to the federal government, Congress passed and the President signed FISMA into law in December 2002. The new law recognizes the highly networked nature of the current federal computing environment and provides for a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. FISMA requires agencies, at a minimum, to develop and maintain controls to protect federal information and information systems; improve oversight of federal agency information security programs; develop an agency-wide information security plan; incorporate information security principles and practices throughout the life cycles of the agency’s information systems; and ensure that the information security plan is practiced throughout all life cycles of the agency’s information systems.

FISMA also assigns the agency’s Chief Information Officer (CIO) the authority and responsibility to administer key functions under the statute, including designating a senior agency information security official (CISO) who possesses professional qualifications and reports to the CIO and assists the CIO in developing and maintaining an agency-wide information security program; developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements; training and overseeing personnel with significant responsibilities for information security; and assisting senior agency officials with their responsibilities.

Finally, in addition to a number of other provisions, FISMA requires each agency to have performed an independent evaluation of its information security program and practices. The OIG or the independent evaluator performing a review may use any audit, evaluation, or report relating to the effectiveness of the agency’s information security program to do so. The agency is required to submit the independent evaluation, along with its own assessment, to OMB as part of its annual budget request.

REVIEW FINDINGS

Department’s Progress in Addressing Information Security

Enhanced Performance Measures

Performance measures are a key requirement of FISMA. Since last year’s evaluation, the Department has made significant progress in enhancing its process for developing performance measures. For example, the Department implemented a bureau-level Department FISMA scorecard. This performance scorecard, shared internally with senior management, is a one-page snapshot of a bureau’s progress in information assurance. Ratings for performance measures are based on information provided by the bureaus on the POA&Ms process, certification and accreditation process, and training statistics.

The Department has deployed an automated application tool to be used by the bureaus in an effort to automate the FISMA reporting process. The tool, which is in the pilot stages, is a commercial product that the Department modified to fit the FISMA reporting needs. The tool is expected to be used by the Department by FY 2005. The automated tool will allow the Department to standardize web management of self-assessments, POA&Ms, and performance measures. Further, the tool will allow the Department to identify weaknesses and performance metrics, as well as generate FISMA and other legislative reports.
These initiatives have addressed a previous OIG recommendation for establishing performance measures and linking them to the POA&Ms process.

Effective Information Security Management Procedures

OIG selected five systems using a subjective sample to assess the Department’s information security management procedures. The systems reviewed are used for system operations by various bureaus within the Department, including the Bureau of Administration’s Employee Services Center (ESC), Bureau of Consular Affairs’ Passport Information Electronic Records System (PIERS), Bureau of Diplomatic Security’s (DS) Report Management Subsystem (RMS), Bureau of Human Resources’ Global Employment Management System (GEMS), and Office of Medical Services’ Electronic Medical Record (EMR). The OIG assessment pertained to management and operational controls and focused on security control reviews, personnel security, contingency planning, data integrity, security awareness, training, and education.

As shown in Table 1, the five systems have completed the certification and accreditation process. All five had a security-level determination, documented risk assessments, and tested security controls. Also, the selected systems had a security plan in place. For the certification and accreditation process, system owners complied with the Department’s Systems Authorization Process Guide and System Authorization Plan, approved in May 2003 and March 2003, respectively. The guides provide information on the steps that should be taken by the system owners and the required documentation for a system to be granted accreditation.

Table 1: Major Information Systems Results for Key System Security Elements

System   Risk Assessment   Security-Level Determined   Security Plans   Certified and Accredited   Tested Security Controls
ESC      Yes               Yes                         Yes              Yes                        Yes
PIERS    Yes               Yes                         Yes              Yes                        Yes
RMS      Yes               Yes                         Yes              Yes                        Yes
GEMS     Yes               Yes                         Yes              Yes                        Yes
EMR      Yes               Yes                         Yes              Yes                        Yes

Further, Table 2 shows that all five systems have a trained information systems security officer (ISSO) assigned. A further analysis of the ISSO program is discussed later in the report. The systems also have documented IT system security self-assessments that were performed using the National Institute of Standards and Technology (NIST) Special Publication 800-26 as criteria.
The systems also had updated and tested contingency plans, which were completed as part of the certification and accreditation process.

Table 2: Results for Training, Planning, and Self-Assessment Elements

System   Trained ISSO   Contingency Plans Developed, Tested, and Updated   Security Self-Assessments
ESC      Yes            Yes                                                Yes
PIERS    Yes            Yes                                                Yes
RMS      Yes            Yes                                                Yes
GEMS     Yes            Yes                                                Yes
EMR      Yes            Yes                                                Yes

OIG’s further review of each of these systems revealed the following.

Employee Services Center

ESC, managed by the Bureau of Administration, is the primary check-in and checkout point for all transferring and in-transit Foreign Service officers and civil service employees on excursion tours. OIG found that the system received full accreditation to operate in March 2004 for 36 months. As part of the certification process, the bureau completed the system security plan and the contingency plan.
The bureau completed the NIST self-assessment and the security controls for the system, and contingency plans were tested as the system went through the certification and accreditation process.

Passport Information Electronic Records System

PIERS, within the Bureau of Consular Affairs, is an intranet-based interface for recording, tracking, and managing the core data related to passport issuance. PIERS operates on the Department’s OpenNet network and offers users from both domestic bureaus and the overseas posts the ability to query information pertaining to passports and vital records as well as to request original copies of the associated documents. PIERS users are able to create, amend, and print vital records. The system provides both case-based and user-based views of information as well as support for electronic tracking and reporting of work processes.

The bureau completed a self-assessment on the system using NIST guidance and tested and evaluated the security controls. In addition, the system security and contingency plans for PIERS were updated and tested as part of the certification and accreditation process. The system received full accreditation to operate for 36 months in April 2004.

Report Management Subsystem

RMS, managed by DS, is a comprehensive software suite that provides an efficient means for the bureau to conduct background investigations on individuals referred for security clearances and suitability reviews. DS conducted and documented a risk assessment and developed and tested a system security plan and contingency plan as part of the certification and accreditation process. DS also tested security controls. RMS received full accreditation to operate for 36 months in August 2003.

Global Employment Management System

GEMS, managed by the Bureau of Human Resources, is the primary human resources application and centralized personnel database for managing the Department’s human resources. The application is based on a suite of applications used for processing all Department employees’ position management transactions. OIG found that the bureau completed the NIST self-assessment as the system went through the certification and accreditation process. In addition, the bureau updated and tested security and contingency plans. GEMS received full accreditation for only 18 months in December 2003 because it will go through the certification and accreditation process again once a system upgrade is completed.

Electronic Medical Records

EMR, within the Office of Medical Services, establishes the essential medical record infrastructure that the Department must have to provide quality health care services for all U.S. foreign affairs agencies worldwide. The EMR provides a single authoritative source of information that is readily retrievable for patient care, medical evacuations and hospitalizations, medical clearance decisions, medical record release actions, and medical program planning and management. It provides a standard, rapid, and secure way to enter new medical record information into a Department patient’s medical record.

OIG found that the bureau completed the NIST self-assessment as the system went through the certification and accreditation process. In addition, the application has updated and tested security and contingency plans.
EMR received full accreditation for 18 months in March 2004 and will be recertified and accredited in 2005 after a planned upgrade is completed.

Improved Security Awareness and Role-Based Training

The Department divides training into security awareness and role-based activities. Security awareness briefings help to ensure the confidentiality, integrity, and availability of Department information by guaranteeing that employees with access to information systems have been made aware of how to protect the Department’s information. Role-based training is designed to provide specific training to employees who have been identified as having significant security responsibilities.

Security Awareness Training

Since September 2003, the Department has made significant progress in ensuring that employees receive security awareness training domestically and overseas. The Department developed a web-based training tool that is used to meet the requirement that all employees receive annual IT security awareness briefings. With the approval of the Department CISO, elements of DS and the Bureau of Information Resource Management Office of Information Assurance (IRM/IA) worked with the Office of Distance Learning at the Foreign Service Institute to take advantage of its distance learning system. By using this web-based tool, the Department has the ability to track completion of annual awareness briefings electronically for each employee worldwide. Training is tracked at every step from registration through presentation and assessment. The training record expires annually and must be renewed. As of the beginning of September 2004, more than 49,000 of the Department’s 49,709 full-time employees, Foreign Service nationals, and contractors (approximately 99 percent) had taken the online security awareness training. The CISO, supported by the CIO, has made annual awareness training mandatory and ensures integration of results into the annual FISMA report for the Department.

The Department’s online security awareness briefings do not address peer-to-peer file-sharing policies as suggested by OMB. These policies are discussed with employees only during live security awareness briefings. The Department plans to include file-sharing policies, among other relevant policies, in future security awareness briefings.

Role-Based Training

The Department has also made progress in ensuring that employees receive training based on their respective IT security roles. The DS training center has a total of seven automated information system security-related courses and is developing additional courses tailored for specific IT security responsibilities. The CISO approves training curricula for all IT security training courses. For example, a new training course is being developed for software application developers, and it is expected to be ready in FY 2005. Further, other proposed training courses for specific security responsibilities are in preliminary discussions with Department representatives.

The Department identified 1,319 employees with significant IT security responsibilities. Of the employees identified, approximately 51 percent, or 673 employees, had received specialized training.
As illustrated in Figure 1, this is an increase from last year’s reported numbers of 819 employees out of 2,800, approximately 29 percent, attending the courses.

Figure 1: Role-Based Training Taken by Department IT Security Employees

[Two pie charts. Fiscal Year 2003 (N=2,800): 29 percent trained, 71 percent not trained. Fiscal Year 2004 (N=1,319): 51 percent trained, 49 percent not trained.]

The decrease in the number of employees with significant IT security responsibilities in FY 2004 is attributed to the Department’s reassessing job responsibilities for those employees reported in FY 2003. The Department credits enhanced reporting of performance measures, implementing the FISMA scorecard, and increasing awareness on training as reasons for the increase in role-based training attendance for this fiscal year.

Improvements Needed in Addressing Information Security

Plans of Action and Milestones Process Needs Improvement

The Department has improved its POA&Ms process since last year’s evaluation. Restructuring of the certification and accreditation process, automation of FISMA data submissions, and the development of a draft POA&Ms process guide have been instrumental in helping the Department improve identification of its IT security vulnerabilities and address these issues through the POA&Ms process.
In addition to these efforts, the Department must ensure better coordination and sharing of information with relevant Department components involved in identifying and addressing IT security vulnerabilities.

For example, IRM/IA serves as the central point for collecting, analyzing, managing, and reporting POA&Ms information to OMB. The current process for collecting POA&Ms data requires each bureau’s program officials and system owners to identify all systems and programs for which they are responsible. These systems and programs are approved through the systems authorization process, which includes certification and accreditation. As part of the systems authorization process, bureau officials conduct self-assessments of their systems and programs to identify vulnerabilities, for which POA&Ms are created to remediate the weaknesses. Further, when IT security vulnerabilities are identified as a result of IRM/IA’s verification during the certification and accreditation process, external and internal audits, evaluations and inspections, or CIP assessments, bureau officials are responsible for creating POA&Ms to mitigate the vulnerabilities.

In an effort to improve the process for creating, analyzing, and reporting POA&Ms information to IRM/IA and addressing FISMA reporting requirements, the Department developed a tool, the State Automated FISMA Information Reporting Environment (SAFIRE) system. Bureau officials are currently using Excel Workbooks to create and submit their POA&Ms data to IRM/IA on a quarterly basis. With the SAFIRE system, bureau officials in FY 2005 will be able to create new POA&Ms and modify existing ones as needed. This process ensures that POA&Ms data are current. In addition, the SAFIRE system is connected to capital planning (exhibits 300 and 53 budget submissions) through a unique identifier. IRM/IA officials reported that having this identifier allows for the generation of reports to OMB that are indicative of how bureaus are performing. Officials in IRM/IA conducted workshops and also provided individual training for bureau officials at domestic locations on how to prepare POA&Ms in the Excel Workbooks, and relied on the regional bureaus to share training information with overseas staff. IRM/IA officials are currently training Department employees on the SAFIRE system and anticipate completing training by the first quarter of FY 2005, at which time the bureaus and posts will be required to use SAFIRE for data submissions.

Regardless of the efforts described above, the Department needs to ensure better coordination and sharing of information with relevant Department components involved in identifying and addressing IT security vulnerabilities. Specifically, CIP officials need better coordination and sharing of information with IRM/IA to report and track remediation of IT security vulnerabilities discovered during CIP assessments, i.e., Vulnerability Assessment Reports. For example, CIP officials reported to OIG that they notify bureau officials of vulnerabilities found during assessments, but have only recently begun to share relevant IT security vulnerability findings with IRM/IA. As a result, the Department does not know if POA&Ms were generated to address all identified IT weaknesses.

OIG sent a questionnaire to bureau executive directors requesting information on creating POA&Ms based on external and internal audits, evaluations, and inspections.
Results from the questionnaire and analysis of information provided by CIP indicate that no POA&Ms were created as a result of an IT security vulnerability identified by CIP officials during their last Vulnerability Assessment Report.

The Department needs to develop procedures to ensure that IT security findings and recommendations from external and internal reviews are being addressed in the POA&Ms process. Bureau representatives OIG spoke with were not aware of IT security vulnerabilities identified for their respective posts during OIG and Regional Computer Security Office inspections in FY 2004. Also, several bureau representatives responded that they were unaware of the type of information to be provided and the responsibilities of the bureaus and IRM officials in ensuring that POA&Ms, if needed, are being done.

Recommendation 1: The Office of Information Assurance and Critical Infrastructure Protection officials should conduct regular meetings to provide a forum for the sharing of information on information technology security vulnerabilities identified in Vulnerability Assessment Reports.

Department Response: The Department concurs with the recommendation. The Department’s Cyber Security Program Management Plan will establish and implement an information governance structure that contains cross-bureau working-level teams called Information Security Integrated Teams composed of experts and supervisors in each of the main information security areas, including CIP.

OIG Comments: OIG accepts the Department’s response and considers this recommendation resolved.

Recommendation 2: The Office of Information Assurance should develop procedures to ensure that information technology security findings and recommendations from external and internal reviews are being addressed in the plans of action and milestones process.

Department Response: The Department concurs with the recommendation. The Department’s Information Security Steering Committee will be charged with providing a comprehensive, collaborative information security management structure. In FY 2004, the Department focused primarily on the identification and remediation of security findings at the system level. Subsequently, the Department is developing a communication plan to inform program officials about what should be addressed in their respective POA&Ms. The scope would include any recommendations and guidance from recognized federal oversight entities, including OIG, GAO and OMB.

OIG Comments: OIG accepts the Department’s response and considers this recommendation resolved.
However, OIG reiterates that the communication plan to inform program officials of items to be addressed in their respective POA&Ms must include recommendations and guidance from GAO, OMB, OIG, and other Department entities.

Recommendation 3: The Chief Information Officer should inform regional bureaus and overseas posts on the responsibilities for creating remediation for identified information technology security vulnerabilities and the type of information required for submission to the Department.

Department Response: The Department concurs with the recommendation. The Department’s cyber security communication efforts are ongoing and will continue to include meetings, notices, memoranda, telegrams, and workshops.

OIG Comments: OIG accepts the Department’s approach to address the recommendation, and considers this recommendation resolved.

Inadequate Inventory of IT Systems

The Department has not adequately ensured that all IT systems have been identified and included in its inventory. FISMA requires that the CIO identify information systems that support the operations and assets of the Department. Using definitions provided by OMB, the Department identifies each system either as a major application, general support system, other application, or retired system. The Department has made progress in updating its inventory of applications and systems domestically. For example, the Department obtains information via funding or connection requests, during the certification and accreditation process, and from Information Technology Change Control Board requests. The Department has initiated site inspections overseas to update its inventory of applications and systems. At the time of this report, the Department had visited 59 overseas locations as part of its site authorization process. However, the Department has more than 290 overseas locations, not all of which will be covered during a single annual reporting period. As a result, the Department does not know the extent of its applications and systems. The Department is currently reviewing the site authorization process responsibility, which is explained later.

The Department needs to address the number of applications and systems reported in the IT Application Baseline (ITAB). ITAB officials are reporting almost 500 applications and systems in the Department, while IRM/IA in its systems authorization process reports over 170 applications and systems. The Department recognizes that the two reports of applications and systems need to be closer, and has begun to address this issue by conducting working group meetings. With representatives of IRM/IA and ITAB, the working group meetings are conducted to ensure that all applications and systems are being reported to the Department and being vetted through the certification and accreditation process.

Recommendation 4: The Bureau of Information Resource Management should review the applications and systems reported in the information technology application baseline and determine those to be included in the Department’s inventory.

Department Response: The Department concurs with the recommendation. The ITAB partnership is led by IRM, and IRM offices make up the majority voting membership. The current information contained in ITAB is being scrubbed and validated by the data owners.

OIG Comments: OIG accepts the Department’s response and considers this recommendation resolved.
The recommendation will be closed when OIG receives the Department's inventory after its review of the applications and systems reported in the information technology application baseline.

Inadequate Compliance and Identification of Contractor Facilities and Services

The CIO and Department program officials have not ensured that contractor-provided services or services provided by another agency for their program and systems are adequately secure and meet the requirements of FISMA, OMB policy, and NIST guidance. Although DS has approved 26 contractor services and facilities for connection to OpenNet Plus, the Department has not identified the full universe of contractor facilities and services and, thus, is not in compliance with FISMA requirements. OIG found that adequate processes and procedures have not been defined and implemented to verify whether those contractor facilities and services are being carried out securely. While the Department identified contractor organizations that are connected to the Department, further analysis needs to be done for those contractor facilities and services that use their own systems to perform work for the Department. The universe of contractor facilities and services is unknown and potentially significant in number. The CIO has the responsibility to identify information systems used or operated by a contractor for the Department, in accordance with FISMA, and therefore, this issue must be addressed.

Recommendation 5: The Chief Information Officer should ensure that all contractor services and facilities performing work for the Department are identified and are in accordance with established information security requirements.

Department Response: The Department concurs with the recommendation. The OIG, like IRM/IA and DS/SI, is grappling with defining the implementation of this FISMA requirement. The three offices have agreed to continue meetings to determine an agreed course of action. In the interim, the Department has identified the number of contractor facilities and those facilities that exchange data with Department systems. Furthermore, the CISO has polled other agencies for their practices in this area.

OIG Comments: OIG accepts the Department's response and considers this recommendation resolved. The OIG has an advisory role in assisting the Department in defining the implementation of this FISMA requirement, and the Department has the sole responsibility for ensuring that contractor services and facilities are properly being identified.

Patch Management Needs Improvement

The Department's patch management program needs improvement. Specifically, the Department's delegation of patch management roles and responsibilities is unclear. Responsible officials within the Department are not certain who has the responsibility to enforce the installation of patches. Further, bureaus and overseas posts are not certain of the timeframe and importance for installing patches with different levels of criticality.

During inspections in FY 2004, OIG identified six locations where patch management was not performed adequately. Two inspections showed the posts did not document patch installations, and another post was not receiving notification from the Department of recently issued patches and was unaware of where to go within the Department to locate information. Another post was unaware of its responsibilities for patch management as outlined in the Enterprise Network Management (ENM) Patch Management Standard Operating Procedures, while another post had failed entirely to implement patch management procedures.

A review of helpdesk inquiries sent to the IRM Info Center illustrated inadequate patch management implementation. Of the recorded events that took place from May 2003 through May 2004, there were 18 requests to be added to the patch management notification list, eight incidents of incorrect installation of patches, and four requests for determining the location of recent patches. In 2004, in a selective sampling of the Regional Computer Security Officer reports on overseas posts, OIG found several cases in which necessary system patches were not installed. In each of these reports, DS officials recommended corrective action to prevent possible disruptions in post operations.

The Department's delegation of patch management roles and responsibilities is unclear. Specifically, it is unclear within the Department who has the responsibility to enforce installation of patches. OIG had discussions with Department officials and found confusion about which office was responsible for the enforcement of patch installations. ENM officials said that IRM/IA is responsible for enforcing the installation of patches, while IRM/IA disagreed and said ENM is responsible. Not installing patches appropriately places the Department at significant risk when hackers take advantage of known vulnerabilities. The Department must ensure that the relevant parties are performing their duties to prevent possible network vulnerabilities. Further, the Department needs to provide and communicate information on the importance of installing patches to overseas sites.

The Department needs to emphasize clearly the importance of each patch. Although the ENM web site does a relatively good job of defining the different risk levels associated with each patch as well as stating that each patch is mandatory, it does not state the timeframe within which sites must install each patch. During the FY 2004 inspection cycle, OIG found that information management staff or regional security officers who were performing ISSO duties were not installing those patches classified as low risk, but only installing high and critical patches. OIG also found that the number of patches being applied during calendar year 2004 was extremely low. Information contained in the daily Department Computer Incident Response Team briefing showed a low percentage of high- and medium-risk patches being applied. The percentage of affected machines that have had the patch applied ranged from as low as 19.05% and only as high as 45.55%. These statistics raise concern for several reasons. First, the due date for installation had passed for all eight patches that were classified as primarily high- and medium-level patches. Also, numerous machines were left vulnerable to threats that those patches would have addressed.

The Department has created a Statement of Procedures, which outlines a five-phase life-cycle process, including Discovery, Test, Delivery, Validation, and Compliance for the Patch Management Program as required by NIST 800-40 and 5 FAM 800. In the Discovery phase, the vendor announces update patches.
The patch management office, in conjunction with the United States Computer Emergency Readiness Team (US-CERT) officials, analyzes the patch and determines the level of vulnerability and critical threat based on the Department's baseline. During the Test phase, ENM officials assign each patch a level of risk (i.e., critical, medium, low, or none) based on the level of impact it could have on the network and likelihood of occurrence. As part of the Delivery phase, officials post patches onto the Patch Management web site and send notifications to the IRM Info Center for action. The IRM Info Center distributes bulletins to the Department. Patches are then sent to bureaus and posts via the Systems Management Server (SMS) or compact disks. In the Validation phase, IRM uses SMS to identify successful and unsuccessful patch installations. Unsuccessful installations are reviewed by IRM officials to determine the cause. Finally, IRM/IA receives a copy of the validation report during the Compliance phase. However, no action is taken against posts that do not comply with Department procedures.

Recommendation 6: The Chief Information Officer should ensure that patch management roles and responsibilities are shared with relevant parties within the Department. The information should include responsibilities for installation and enforcement as well as the mandatory timeframe for the installation of patches.

Department Response: The Department concurs with the recommendation. The CIO has established ownership for the Patch Management Program through the ENM Office. This program directly addresses and should satisfy this recommendation with respect to a mandatory timeframe for the installation of patches. Under the direction of the CIO, the ENM Office will provide IRM/IA with patch installation reports on a continuous basis. IRM/IA will use these reports, together with other relevant information, to assess risk and monitor compliance. The CIO will continue to coordinate the definition and enforcement of roles and responsibilities for patch management between IRM/IA and ENM by updating 5 FAM and 12 FAM to delineate patch management roles and responsibilities and provide a methodology to address patch management noncompliance. In addition, ENM executed a service level agreement with Info Center to assist posts and bureaus with patch management responsibilities.

OIG Comments: OIG accepts the Department's response and considers this recommendation resolved. OIG believes that the Department must ensure clear dissemination of timeframes for the installation of patches because overseas posts are inconsistent in implementation even though the Patch Management Program has existed for some time.

Roles and Responsibilities for Information Security Need Close Examination

The Department's management of information systems security contributes to its inability to meet all FISMA requirements because information system security roles and responsibilities are not sufficiently defined overseas and do not provide the necessary structure to meet information security responsibilities either domestically or overseas. Responding to identified management weaknesses in October 2003, the Department issued a memorandum outlining its revised information security roles and responsibilities and, as of the beginning of September 2004, is again revising the matrix, assigning responsibilities to both IRM and DS. Specifically, IRM, under the direction of the CIO, is assigned the responsibility to manage the Department's cyber security program, while DS is to handle physical security responsibilities. Under the proposed revision, IRM will remain the accrediting authority. DS will have the responsibility for addressing site certification of IT assets at all overseas sites, while IRM will address site certification of IT assets at domestic locations.

FISMA directs that the agency CIO has the responsibility to ensure compliance with information systems security requirements for the agency, including:

• designating a senior agency information security officer to carry out CIO responsibilities;
• developing and maintaining an agency-wide information security program;
• developing and maintaining information security policies, procedures, and controls to address all applicable requirements;
• training and overseeing personnel with significant responsibilities for information security; and
• assisting senior agency officials in their responsibilities as outlined in the act.

In April 2003, the Department undertook an 18-month project to certify and accredit its major applications and general support systems. The 18-month project managed by IRM/IA and augmented with staff resources from DS is scheduled for completion in September 2004, at which time it is to be rolled into an ongoing program to address systems authorization for all the Department's systems on a 3-year cyclical basis or upon significant change. As of the first week in September, the Department had processed and approved 164 of 179, or 92 percent, of the general support systems and major applications included in the project. Before the project, when DS was responsible for certification and IRM was responsible for accreditation, as reported in FY 2002, the Department had processed and approved only 4 percent of its major applications and general support systems.2 The 18-month project has been coordinated with OMB, and has moved the Department constructively forward to begin meeting FISMA requirements in a key area where it previously had been failing.

In a memorandum dated June 24, 2004, OIG informed DS and the CIO of our concerns with the division of responsibilities in the certification process as the Department moved forward with its system authorization program after the project. OIG strongly encouraged the Department to maintain its forward progress and momentum by reconsidering the decision to split the certification responsibility between DS and IRM. The Department's proposed revision of the roles and responsibilities splits the certification process: DS is responsible for site certification of IT assets and IRM/IA is responsible for systems certification and major processing center facilities. Based on the revised proposal, IRM/IA will retain the responsibility for accreditation and the overall authorization process; however, since the roles and responsibilities are being revised, the impact on the process remains to be determined.

The proposed division of responsibilities currently does not allow the CIO oversight of information system functions performed by DS personnel. For example, the October 2003 memorandum states that DS personnel are responsible for recommending and developing cyber security policy, creating and delivering cyber security training, and carrying out operational and tactical components of the Department's cyber security program. In response to the memorandum, DS established the Office of Security Integrity (DS/SI) to focus on cyber security issues.
Currently the CIO cannot ensure that the information security responsibilities performed by DS are being conducted in an effective and efficient manner: although the CIO coordinates with DS, neither the CIO nor IRM has a mechanism to direct or measure what DS does to ensure information security. Similarly, under the newly proposed DS responsibilities, the CIO has no mechanism for ensuring that certification of IT assets at more than 200 foreign sites will be carried out in a manner to satisfy IRM/IA criteria.

OIG questions this reassignment and believes that the success of the 18-month project demonstrates it would be better for IRM/IA to be responsible for managing the certification and accreditation program for systems, applications, and sites. As noted earlier in this report, IRM/IA conducted 59 site visits in FY 2004 as part of a 3-year program to visit all sites and to establish a Department baseline for site certifications of IT assets to begin in 2007. This program was curtailed in August 2004 with the intent to pass the responsibility to DS. At the time of this report, no site certification visits for inspection of IT assets were occurring, and DS had not yet finalized a program plan for their conduct. Additionally, DS certification program managers reported that their direction was to develop the program so it relied on remote testing and collection of information as opposed to physically visiting the sites. Also, the DS program management was told that no additional funds were to be provided for conducting site certification visits.

2 Information Security Program Evaluation (IT/A-02-06, Sept. 2002).

OIG is concerned with this direction, and questions whether it will allow the Department to meet the objectives in its coordinated efforts with OMB to have in place a viable, forward-looking program ensuring that the necessary information security requirements are met. OIG believes the 18-month project and the temporary reassignment of resources to IRM for addressing the certification and accreditation backlog have proven to be effective. However, recent decisions by the CIO and DS call for a fragmentation of the process by returning overseas site certification of IT assets to DS. To split certification between two bureaus could very easily lead to ineffective performance and an inability to assign accountability and, as was the case 2 years ago, jeopardize the Department's ability to meet FISMA requirements. The Department senior management in its decision on this issue has recognized the absence of performance requirements and the need for performance measures.

Further, the Department has not provided clear guidance to overseas posts nor ensured that the Foreign Affairs Manual (FAM) and Foreign Affairs Handbook (FAH) are up-to-date on posts' roles and responsibilities for meeting information security management requirements. For example, operations officers at the Regional Information Management Centers and the Regional Computer Security Office appear to perform similar functions in many instances. OIG inspections have shown numerous examples of the problems in differentiating the information systems security responsibilities of regional security officers and the information management officers, and in some instances, functions are not being performed at all.

IRM's proposed funding for its information assurance activities in FYs 2005 and 2006 does not fully support IRM/IA's proposed certification and accreditation program requirements. In accordance with FISMA and its implementing guidance, a viable program must include all systems and applications, not just those that are identified as general support systems and major applications. In order to meet the program requirements, the Department must include all of its systems and applications. As of the end of August 2004, the Department's universe of systems, major applications, and minor applications totaled almost 500. Although the Department showed significant progress with its 18-month project by authorizing processing for 163 general support systems and major applications, a viable program within the Department must address about three times that number for certification and accreditation.

At the beginning of September 2004, OIG found that the preliminary FY 2005 budget for IRM/IA did not include sufficient money to meet projected costs for operating the certification and accreditation program. While not yet finalized in early September for use in this report, the IRM funding proposal for all of IRM/IA's activities was approximately $12 million to cover both FYs 2005 and 2006. OIG anticipates this proposed funding level will not support the required certification and accreditation program as envisioned by IRM/IA or FISMA guidance. The proposed funding, when compared to IRM/IA's submitted budget request, is short by about $6 million in FY 2005 and $12 million in FY 2006. Also, the Department, under newly revised draft roles and responsibilities, has reassigned the responsibility for site certification of IT assets to DS, but as of the end of August 2004, the FY 2005 budget did not include enough money to fund site visits to certify IT assets.

In its response to a final draft of this report, the Department said the following:

    “We believe the structure and accountability systems are in place to meet FISMA certification and accreditation responsibilities through a shared CIO and DS approach. The CIO will articulate his certification and accreditation requirements and IRM and DS will execute their respective responsibilities... The Department agrees that the CIO is responsible for all certification and accreditation. DS has transferred to IRM complete functional responsibility and the associated resources for certification and accreditation of all major applications and general support systems. The CIO has requested and DS has agreed to perform site activities. Where appropriate, site visits will be conducted as part of a joint IRM and DS team. Although performed by DS, the site activities will fit into the overall authorization program run by IRM. The CIO will continue to have oversight authority over the DS contribution to certification and accreditation.”

In the final draft report responded to by the Department, OIG included two recommendations directing that all functional activities and associated appropriations relating to the certification and accreditation process should remain permanently with the CIO.
On the basis of the Department responses to the draft, we have chosen to withdraw those recommendations. OIG remains concerned as stated above, and we will continue to monitor as the Department moves forward on this initiative. OIG requests that the CIO keep us informed on its progress in developing certification performance requirements and criteria and further delineating the roles and responsibilities for information systems security. OIG will have the certification and accreditation process and roles and responsibilities of information systems security as a focal point for FY 2005 inspections and FISMA work that we will conduct.

Recommendation 7: The Under Secretary for Management should direct that annual funding be established to meet the Department's full information technology certification and accreditation program requirements.

Department Response: The Department concurs with the recommendation. IRM/IA is developing a detailed budget impact assessment that supports this recommendation. IRM/EX is working to increase proposed funding levels to ensure the IRM/IA program will not become noncompliant with the requisite authorities (FISMA, OMB and congressional scoring).

OIG Comments: OIG accepts the Department's response but considers it to be restrictive. If DS is to have responsibility for a portion of the certification program and process, then it must be included in and contribute to the detailed budget plans. This recommendation is unresolved.

Recommendation 8: The Chief Information Officer should provide guidance and direct the appropriate bureaus to revise annually, or sooner if significant changes occur, the information security management and technical aspects of the relevant Foreign Affairs Manual and Foreign Affairs Handbook chapters and sections.

Department Response: The Department concurs with the recommendation. Information Security Management is addressed in both the Foreign Affairs Manual (the requirements) and the Foreign Affairs Handbook. The CISO will continue to address and coordinate policy review and development activities with appropriate bureaus, in carrying out CIO-designated FISMA responsibilities. The same process applies to the update and review of information security procedures for the Foreign Affairs Handbook.

OIG Comments: OIG accepts the Department's response and considers this recommendation resolved.

Information Security Management Deficiencies at Overseas Sites

OIG conducted information security inspections at 34 sites during FY 2004. OIG found numerous issues that should be addressed by the Department to ensure effective implementation of information security at overseas sites. Besides Patch Management Program deficiencies as described earlier, the Department's ISSO program was not meeting its objectives; several sites lacked required security documentation; inappropriate material was downloaded to post servers and users' computers; and Department configuration standards were not being met.

ISSO Program Weaknesses

Designating information management and information systems staff as ISSOs must be managed diligently to maintain independent monitoring and checking of both systems management and operations. Recent efforts by the Department, such as sending cables to overseas posts outlining ISSO responsibilities, have been an improvement in the management of information security roles and responsibilities; however, more must be done. For example, at five sites visited, there was inadequate segregation between information management and information security duties and responsibilities. At one site, the ISSO is also the information systems officer and communications security (COMSEC) custodian. At another site, the information program specialist responsible for the classified system is also the ISSO for that system. In addition, one site's information management and information systems are generally effective, but lack independent oversight. The ISSO at this site oversees the administration of the bureau's unclassified and classified information systems, creating inadequate segregation of duties because the ISSO, who has systems administration responsibilities, also has security oversight authority for those systems.

Further, although much of the responsibility for securing information and IT system assets has been placed with the ISSO, in most instances these duties were assigned on a collateral basis and were not the primary duties of the individual designated as the ISSO. The collateral nature of these assignments reduces the time available to perform ISSO duties because the incumbents view them as secondary. For example, at one site, the ISSO performed responsibilities in conjunction with primary duties as a computer specialist and informed the inspection team that duties are not performed fully because both responsibilities were overwhelming. Further, at two sites, the ISSOs were not adequately performing their duties, such as documenting monthly and annual reviews of randomly selected libraries, reviews of user and system operational practice, and reviews of audit logs. One ISSO reported that there is no time to develop written procedures to instruct users to report incidents because of the multiple responsibilities as system administrator, COMSEC custodian, and ISSO.

In August 2003, the Department presented a recommendation for the CIO to institute a career field for cyber security practitioners. According to the Department, the recommended approach will leverage existing resources to maximum effect and provide a streamlined force to enhance compliance with federal mandates. As stated by the Department, regional security officers and security engineering officers readily acknowledge that ISSO duties do not fall within their core competencies. As a result, the work falls to the information management specialist, whose ISSO responsibilities are collateral to other assigned duties. The recommendation to the CIO included institutionalizing a skill matrix for the cyber security practitioners, developing an outreach program managed by a seasoned ISSO liaison, and establishing a cyber security skill code enabling growth opportunities throughout the information infrastructure.

At the time of this report, the Department issued a cable to posts reiterating the ISSO program responsibilities.
The cable stated that posts should ensure that IRM staff are properly\nassigned ISSO responsibilities before nonregulatory functions are performed. In addition to the\ncable, the ISSO liaison office was established with responsibility to handle overseas and\ndomestic monitoring issues. The ISSO liaison was in the process of developing a mailing list\nwith all ISSOs to disseminate relevant ISSO information. The ISSO liaison office also ensured\nthat it was included in all communications between the CIO and Computer Incident Response\nTeam to be kept aware of any changes and issues affecting the ISSO program.\n\n       Lack of Documentation\n\n        OIG found that overseas posts do not have the necessary systems documentation for their\nrespective embassies. For example, two sites reviewed did not have a documented contingency\nplan for the automated information systems as required by 12 FAM 622.3 and 12 FAM 632.3.\nFurther, five sites did not have an adequate site IT strategic plan that covers the embassy\xe2\x80\x99s\noperational, technical, and staffing needs as required by 5 FAM 121.1. Also, two sites did not\nhave a life cycle plan for all IT equipment, nor did they have a bureau-specific IT budget plan\nthat includes life cycle costs. Finally, six sites did not have a current, documented, and approved\ninformation system security program plan for their information systems in compliance with 12\nFAM 632.4 and 12 FAM 622.4.\n\n       Inappropriate Material on Networks\n\n       OIG found several instances of inappropriate material on embassy networks. For\nexample, one site had several instances of inappropriate material on the servers. This included\nexcessive personal use and storing of digital pictures, and downloading and using prohibited\nsoftware. Further, at two sites, the inspection team found inappropriate material on individual\nsystems. 
Information management staff was not ensuring and conducting periodic reviews of\nunclassified systems, checking for inappropriate material, such as executable files, pictures, and\nmusic files. As a result, systems could be vulnerable to viruses, which would greatly reduce the\nproductivity and compromise system security.\n\n       Configuration Issues\n\n        OIG found configuration issues at some sites visited during the inspection cycle. For\nexample, one site was using naming conventions for its computers and servers that did not follow\nIRM\xe2\x80\x99s Standard for Network Naming and Addressing guidelines. Another site had incorrect\ndocumentation for local configuration control board decisions that did not comply with\nDepartment guidance on testing and evaluation reports. There was also no indication at this site\nthat the local control board had reported all locally approved software to the Department. One\nsite was using software that was not approved by the control board for installation and usage. 
In some instances, the Department software identified false positives.

Recommendations

Recommendation 1: The Office of Information Assurance and Critical Infrastructure Protection officials should conduct regular meetings to provide a forum for the sharing of information on information technology security vulnerabilities identified in Vulnerability Assessment Reports.

Recommendation 2: The Office of Information Assurance should develop procedures to ensure that information technology security findings and recommendations from external and internal reviews are being addressed in the plans of action and milestones process.

Recommendation 3: The Chief Information Officer should inform regional bureaus and overseas posts on the responsibilities for creating remediation for identified information technology security vulnerabilities and the type of information required for submission to the Department.

Recommendation 4: The Bureau of Information Resource Management should review the applications and systems reported in the information technology application baseline and determine those to be included in the Department’s inventory.

Recommendation 5: The Chief Information Officer should ensure that all contractor services and facilities performing work for the Department are identified and are in accordance with established information security requirements.

Recommendation 6: The Chief Information Officer should ensure that patch management roles and responsibilities are shared with relevant parties within the Department. The information should include responsibilities for installation and enforcement as well as the mandatory timeframe for the installation of patches.

Recommendation 7: The Under Secretary for Management should direct that annual funding be established to meet the Department’s full information technology certification and accreditation program requirements.

Recommendation 8: The Chief Information Officer should provide guidance and direct the appropriate bureaus to revise annually, or sooner if significant changes occur, the information security management and technical aspects of the relevant Foreign Affairs Manual and Foreign Affairs Handbook chapters and sections.

Abbreviations

CIO          Chief Information Officer
CIP          Critical Infrastructure Protection
CISO         Chief Information Security Officer
COMSEC       Communications security
Department   Department of State
DS           Diplomatic Security
EMR          Electronic Medical Record
ENM          Enterprise Network Management
ESC          Employee Services Center
FISMA        Federal Information Security Management Act
GEMS         Global Employment Management System
IRM/IA       Bureau of Information Resource Management, Office of Information Assurance
ISSO         Information Systems Security Officer
IT           Information technology
ITAB         IT Application Baseline
OIG          Office of Inspector General
OMB          Office of Management and Budget
PIERS        Passport Information Electronic Records System
POA&M        Plans of Action and Milestones
RMS          Report Management Subsystem
SAFIRE       State Automated FISMA Information Reporting Environment
SMS          Systems Management Server
US-CERT      United States Computer Emergency Readiness Team

Appendix A

Objectives, Scope, and Methodology

The objective of this review was to assess the overall effectiveness of the Department’s information security program. Specifically, the review included identifying the total number of programs and systems in the agency; identifying and reporting material weaknesses in policies, procedures, or practices; and describing steps taken by the agency to implement and enforce FISMA’s CIO responsibilities and authorities. Also, the review included evaluating measures of performance; employee training; security incident response; and development, implementation, and management of the agency-wide plans of action and milestones process. Further, the review included how the agency employs system configuration management and system security settings and maintains the Patch Management Program.

To meet its review objectives, OIG first researched U.S. laws and federal guidance to identify relevant criteria for implementing and managing information security programs. OIG then reviewed its own previous reports evaluating the Department’s information security program to identify previous issues requiring updating. OIG also reviewed documents provided by Department officials, including, but not limited to, corrective action plans, standard operating procedures, process guides, and system authorization plans.

OIG met with officials from DS and IRM to discuss the Department’s procedures for granting approval to contractor services or facilities, coordination and communication with CIP officials, and their assessment of the Department’s implementation of information system security roles and responsibilities. OIG also met with CIP and Computer Incident Response Team officials to obtain information about procedures for reporting security incidents and communicating with Department officials. OIG also attended working group meetings regularly with IRM/IA officials to obtain the information necessary for completing the OMB FISMA report and the OIG independent evaluation report. Meetings were conducted with Foreign Service Institute representatives to obtain information regarding the Department’s training program. OIG also selected a subjective sample of the Department’s systems to evaluate the certification and accreditation process. Further, OIG selected several reports of inspection conducted during FY 2004 to evaluate the Department’s information security implementation, including the POA&Ms process. This included selecting IT security recommendations and speaking with bureau executive officials to determine what was done to address each IT security finding.

OIG’s Information Technology Office performed this evaluation from March 2004 through September 2004. Contributors to this report were Lynn Allen, Mary Heard, James Davies, Vandana Patel, Pamela Young, and Brandon Carter. Comments or questions about the report can be directed to Mr. Lynn Allen at allenlx@state.gov or 703-284-2652, or to Mr. James Davies at daviesj@state.gov or (703) 284-2673.

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT of Federal programs and resources hurts everyone.

Call the Office of Inspector General HOTLINE at 202-647-3320 or 1-800-409-9926, or e-mail oighotline@state.gov, to report illegal or wasteful activities.

You may also write to:
Office of Inspector General
U.S. Department of State
Post Office Box 9778
Arlington, VA 22219

Please visit our Web site at: http://oig.state.gov

Cables to the Inspector General should be slugged “OIG Channel” to ensure confidentiality.